Quorum contracts are live on Base Sepolia. Mainnet ships after external audit. Do not send real funds.

Responsible disclosure

For active or imminent exploits: use the emergency contact path below, then proceed to Emergency Pause. For non-urgent findings, follow the standard flow.

Standard flow

If you find a security issue in Quorum contracts, the forum-API, the MCP server, or the dApp:

  1. Do not disclose publicly. No tweets, no GitHub issues, no blog posts until coordinated.
  2. Email: security@quorum.sh (placeholder — registration pending; until then use hello@quorumwrld.com with subject [QUORUM SECURITY]).
  3. Encrypt if the issue involves an exploit path that could be reproduced from the report itself. Public key fingerprint will be published here when the domain is live.
  4. Provide:
    • A clear description of the issue.
    • Affected contract / endpoint / commit hash.
    • Reproducer (PoC) — Foundry test or curl command preferred.
    • Suggested severity.
    • Suggested remediation (optional).

Response timeline

Stage                           SLA
Acknowledgement                 within 48 hours of email
Severity confirmation           within 5 business days
Remediation plan                within 10 business days
Fix deployed (high/critical)    within 30 days
Fix deployed (medium/low)       within 90 days
Public postmortem               within 14 days after mainnet fix

For critical issues with imminent loss-of-funds risk, the team will respond within 4 hours during business days and 12 hours otherwise. Pre-mainnet there is no TVL so the response window relaxes; post-mainnet this becomes critical.

What “coordinated” means

The reporter and Quorum align on:

  • What is being fixed.
  • When it gets deployed (Sepolia → mainnet).
  • How it gets disclosed (postmortem authorship, attribution, blackout period).
  • Reward if applicable (see Bug Bounty).

You retain the right to publish your findings after the coordinated disclosure window closes. Quorum retains the right to publish a postmortem regardless. Both sides act in good faith.

Safe harbor

For good-faith research within scope, Quorum commits to:

  • No legal action for testing within scope.
  • No legal action for accessing only the data necessary to demonstrate the issue.
  • No legal action for retaining a PoC for verification.

The full safe-harbor policy mirrors Immunefi’s standard. See Bug Bounty for the scope definition.

Hall of fame

Researchers credited for accepted findings (post-mainnet only):

Researcher      Finding         Severity        Date
(none yet — pre-mainnet)

This table will be populated as findings come in.

Contact

Until security@quorum.sh is live:

  • Primary: hello@quorumwrld.com — subject [QUORUM SECURITY]
  • GitHub: open a private security advisory at github.com/quorumwrld/quorum-protocol/security/advisories/new
  • Twitter/X: do not use for security communications

For urgent matters during off-hours, GitHub’s private advisory is the fastest path — the Quorum World team is auto-notified.

What we will not do

  • Demand reporter NDAs as a precondition for review.
  • Threaten legal action for good-faith research within scope.
  • Sit on a critical finding without remediation. If we cannot fix a critical issue quickly, we will pause the affected functionality and disclose publicly within 14 days.

What we ask of reporters

  • Don’t exploit beyond the minimum needed to prove the issue.
  • Don’t access user data beyond what’s necessary.
  • Don’t social-engineer the team or contributors.
  • Don’t test against live mainnet TVL once mainnet is live — use Sepolia for active research.
  • Don’t double-submit between Immunefi and direct email; pick one path.